The FortiGate credential dump surfaced on VirusTotal on June 19, carrying configuration files and VPN session tokens from 430,000 devices and a claimed password count of 110 million -- numbers that Fortinet's public advisory declined to reproduce, describing the exposure instead as "a limited set of customer data from an older, previously addressed vulnerability." The older, previously addressed vulnerability appears to be CVE-2022-40684, an authentication bypass that CISA added to its Known Exploited Vulnerabilities catalogue in October 2022 and for which Fortinet issued a patch the same month. The gap between what the patch notice closed and what the credential dump opened is roughly three and a half years of unpatched perimeter devices, which is not a Fortinet problem so much as it is a procurement and asset-governance problem wearing a Fortinet label.
The structural consequence for APAC financial-sector defenders is more specific than the headline count suggests. FortiGate appliances are embedded in the network perimeter of a large share of MAS TRM-regulated institutions and HKMA-supervised licensed corporations; the TRM Guidelines (revised 2021, MAS reference RM-G-11) require annual penetration testing and network device hardening reviews, but neither requirement specifies patch-currency validation at the firmware layer as a testable control. The 110 million credential figure is not a uniform blast radius -- session tokens issued before device compromise are invalidated by rotation, and the actual exploitable set is bounded by which of those 430,000 devices had active management interfaces exposed and VPN sessions in flight at the time of collection -- but institutions that cannot answer that question for their own perimeter estate by June 30 should treat the answer as "unknown," which under MAS TRM incident classification is functionally equivalent to "yes."